# Chapter 15: Production Deployment Practices

## 15.1 Deployment Architecture
Deployment architecture diagram (image not preserved): a load balancer in front of node 1, node 2 and node 3, a shared data store behind them, and monitoring covering every tier.
## 15.2 Security Hardening

Production security checklist:

- Network security
  - Firewall rules
  - TLS encryption
  - Disable plaintext ports
- Authentication and authorization
  - Disable anonymous access
  - Strong passwords
  - Regular updates
- Access control
  - Least privilege
  - Topic isolation
  - IP restrictions
- Log auditing
  - Operation logs
  - Anomaly detection
  - Regular review
Configuration example:

```
# Production configuration
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
cafile /etc/mosquitto/certs/ca.crt
require_certificate true
tls_version tlsv1.2
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
max_connections -1
max_inflight_messages 20
```
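As an added example (not part of the chapter or of Mosquitto's own tooling), the following Python script checks a mosquitto.conf against the checklist above; the option names and the rule that TLS options belong to the preceding `listener` line follow the Mosquitto configuration format, and both sample configurations are constructed for the demonstration.

```python
"""Audit a mosquitto.conf against the 15.2 hardening checklist.
Constructed example for this chapter, not Mosquitto's own tooling: parses the
'key value' format, scopes TLS options to the preceding 'listener' line, and
returns a list of findings (empty list = pass)."""
# Options that Mosquitto attaches to the most recent 'listener' line.
LISTENER_OPTS = {"certfile", "keyfile", "cafile", "require_certificate",
                 "tls_version", "use_identity_as_username"}
ACCEPTED_TLS = {"tlsv1.2", "tlsv1.3"}

def parse_conf(text):
    """Return (global options, [(port, listener options), ...])."""
    globs, listeners = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            listeners.append(((value.split() or ["?"])[0], {}))
        elif key in LISTENER_OPTS and listeners:
            listeners[-1][1][key] = value
        else:
            globs[key] = value
    return globs, listeners

def audit(text):
    """One finding per checklist item the configuration violates."""
    globs, listeners = parse_conf(text)
    findings = []
    if globs.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous is not explicitly false")
    mtls_everywhere = bool(listeners) and all(
        o.get("require_certificate") == "true" for _, o in listeners)
    if "password_file" not in globs and not mtls_everywhere:
        findings.append("no password_file and not every listener requires a client certificate")
    if "acl_file" not in globs:
        findings.append("no acl_file: authenticated clients may use any topic")
    for port, o in listeners:
        if not all(k in o for k in ("certfile", "keyfile")):
            findings.append(f"listener {port}: plaintext port (no certfile/keyfile)")
        elif o.get("tls_version", "tlsv1.2").lower() not in ACCEPTED_TLS:
            findings.append(f"listener {port}: tls_version {o['tls_version']} below TLS 1.2")
    return findings

# Constructed inputs: the 15.2 listener with its auth options, and a weak broker.
HARDENED = ("listener 8883\ncertfile /etc/mosquitto/certs/server.crt\n"
            "keyfile /etc/mosquitto/certs/server.key\nrequire_certificate true\n"
            "tls_version tlsv1.2\nallow_anonymous false\n"
            "password_file /etc/mosquitto/passwd\nacl_file /etc/mosquitto/acl\n")
WEAK = "listener 1883\nallow_anonymous true\n"
```

Run it against the mosquitto.conf mounted into the Compose or StatefulSet config volume before deploying; a `listener 1883` without certfile/keyfile is reported as the plaintext port the checklist says to disable.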
## 15.3 Docker Deployment

Docker Compose production configuration:

```yaml
version: '3.8'
services:
  mosquitto:
    image: eclipse-mosquitto:2
    restart: always
    ports:
      - "1883:1883"
      - "8883:8883"
    volumes:
      - ./config:/mosquitto/config
      - ./data:/mosquitto/data
      - ./log:/mosquitto/log
    environment:
      - TZ=Asia/Shanghai
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 1G
        reservations:
          cpus: '1'
          memory: 512M
    healthcheck:
      test: ["CMD", "mosquitto_sub", "-t", "$$SYS/broker/uptime", "-C", "1"]
      interval: 30s
      timeout: 10s
      retries: 3
```
## 15.4 Kubernetes Deployment

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mosquitto
spec:
  serviceName: mosquitto
  replicas: 3
  selector:
    matchLabels:
      app: mosquitto
  template:
    metadata:
      labels:
        app: mosquitto
    spec:
      containers:
        - name: mosquitto
          image: eclipse-mosquitto:2
          ports:
            - containerPort: 1883
            - containerPort: 8883
          volumeMounts:
            - name: config
              mountPath: /mosquitto/config
            - name: data
              mountPath: /mosquitto/data
          resources:
            requests:
              memory: "512Mi"
              cpu: "500m"
            limits:
              memory: "1Gi"
              cpu: "1000m"
      # The "config" mount needs a matching pod volume; a ConfigMap holding
      # mosquitto.conf is assumed here (name is a placeholder).
      volumes:
        - name: config
          configMap:
            name: mosquitto-config
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```
## 15.5 Backup and Recovery

```bash
#!/bin/bash
# Backup script: archives the configuration (which already contains the
# password and ACL files) and the persistence database under their
# original relative paths, so the archive can be restored straight onto /.
set -euo pipefail
umask 077   # the archive holds password hashes and ACLs; keep it private

BACKUP_DIR="/backup/mosquitto"
ARCHIVE="$BACKUP_DIR/$(date +%Y%m%d).tar.gz"
mkdir -p "$BACKUP_DIR"

# Back up configuration (/etc/mosquitto, including passwd and acl) and
# data (/var/lib/mosquitto) in one compressed archive; -C / stores the
# paths relative to the root so they need no rewriting on restore
tar -czf "$ARCHIVE" -C / etc/mosquitto var/lib/mosquitto

# Restore (run separately, with the broker stopped so the persistence
# database is not overwritten while in use; service name assumes systemd):
#   systemctl stop mosquitto
#   tar -xzf "$ARCHIVE" -C /
#   systemctl start mosquitto
```
## 15.6 Chapter Summary

This chapter covered best practices for production deployment: a load-balanced, monitored architecture, the security hardening checklist and its Mosquitto configuration, Docker Compose and Kubernetes deployment manifests, and backup and recovery of configuration and persistence data.